AOL security breach puts Web on notice

With each new cycle of high-tech products, computer power soars, plasma TV prices plunge, and cellphone functions multiply. But in the critical arena of privacy and data security, the wheels of progress seem to be moving in reverse.

Although the benefits of a Google search or an eBay purchase for most people outweigh the Internet's many threats and nuisances, this firewall factor is taking a big toll in costs and consumer consternation.

In recent days a furor has emerged over a colossal miscalculation in which a team at America Online (AOL) publicly posted the Internet search topics of hundreds of thousands of customers online. The goal was to support academic research about Web traffic, and AOL users' names were replaced by numbers. But that didn't guarantee anonymity.

The result was a major breach of trust and privacy that went from abstract concern to concrete fear when The New York Times was able to trace the identity of a Georgia woman based on her search queries.

This comes as the Department of Homeland Security this week urged users of Microsoft's Windows software to take steps to shield themselves from the latest malicious software attack. It also follows a string of computer security breaches at several federal agencies this year. The most alarming case happened in May, when the theft of a Department of Veterans Affairs laptop jeopardized the personal information of millions of former US soldiers.

"The danger is growing" as sensitive personal information increasingly resides online or in databases, says Paul Saffo, director of the Institute for the Future in Palo Alto, Calif. "You leave a digital wake behind you in cyberspace, and that trail never fades. That's the problem."

Wake-up call for Web companies

It's a threat to consumers, but also to corporations like AOL or Google. They have much to gain by tracking online behavior – and using the information to develop new products or to target ad pitches to specific people. But they also lose to the extent that customers are put off by intrusive policies, or if data breaches result in lawsuits.

"Think twice about it," Mr. Saffo advises businesses. "You may discover that private information is the new dioxin or the new asbestos.... This is a vast liability."

AOL could face lawsuits from members of the online community who contend that their privacy was violated in the recent lapse.

The chief executive of Google said Wednesday that the company would not change its policies as a result of AOL's mishap. "We are reasonably satisfied ... that this sort of thing would not happen at Google, although you can never say never," chief executive Eric Schmidt said.

At least one rival search engine, Ixquick.com, is trying to build its business on a pledge of privacy – that it won't keep records of users' Internet addresses.

AOL, for its part, has apologized and removed the user data from the Internet, but not before some other groups had copied it to other sites where it remains available.

The challenges hardly mean that society will retreat from the digital age. The trend, indeed, has been toward more online exposure of identity, not less. In the past year, MySpace.com has exploded in Web-traffic rankings as a venue for people to publicize themselves and connect with potentially millions of others.

Experts generally say that society is getting benefits from the technology that far outweigh the damage done by security gaps.

"Some of us yearn for the pioneer days [without computers], but I'm not sure how many of us do," says Stuart Madnick, a computer expert at the Massachusetts Institute of Technology's Sloan School of Management in Cambridge.

He uses the analogy of electricity. The grid sometimes goes dark, but when it's on, people have services such as air conditioning and television that weren't available 100 years ago.

"We just need to do a much better job" at managing the risks that go along with networked computing, he says.

Beefing up security

Problems often crop up because of outsiders – hackers frequently use e-mail to send viruses that take over other computers.

But an important lesson, Dr. Madnick says, is that serious problems also stem from insiders at corporations or agencies who either accidentally leave information vaults "unlocked" or who maliciously embezzle data.

Among the many solutions, one is to improve internal checks and balances in organizations, so that it's hard for any individual to single-handedly cause a major breach.

It's clear that as computer crime grows, so does the cost of combating it.

People can buy a personal computer for $500, but using it to surf the Web at home is risky without security software that is continuously updated, at a cost of $30 a year or more.

At work, the cubicle set is having to change passwords more often. In the federal government, $4.5 billion of the $65 billion spent annually on information technology now goes for security, a Bush administration budget official said recently.

The good news, Madnick says, is that society is starting to wake up to the challenge. "We're going through ... a slow cultural change," he says. "The awareness aspect is rising."

• Use and update anti-virus and anti-spyware software, and install a firewall.

• Use complex passwords and keep them secret. Back up important files.

• If your computer is hacked or infected by a virus, disconnect it and scan with anti-virus software. Alert your Internet Service Provider and the FBI. Report Internet fraud to the FTC.

• Consider anonymous browsing options such as Anonymizer.com, or a portable flash drive from Stealth Ideas. But don't count on any system to ensure total privacy. Be careful what you post in an online biography.